Bugtraq mailing list archives
Re: MS Chap v2 analysis
From: paulle () MICROSOFT COM (Paul Leach)
Date: Wed, 7 Jul 1999 16:20:09 -0700
-----Original Message----- From: Burton Rosenberg [mailto:burtonr () citrix com] Sent: Wednesday, July 07, 1999 3:16 PM To: Paul Leach; BUGTRAQ () SECURITYFOCUS COM Cc: 'schneier () counterpane com'; 'mudge () l0pht com' Subject: RE: MS Chap v2 analysis the parallel structure of generating the challenge response (function ChallengeResponse() in www.ietf.org/internet-drafts/draft-ietf-pppext-mschap-v2-03.te x) cuts down the strength of the PasswordHash from 16 to 14 bytes. this should have been addressed in version 2. given challenge C of 8 bytes (or the "hidden challenge" of version 2), password hash P of 16 bytes, the response is: < DES_{P1} ( C ) | DES_{P2}(C) | DES_{P3}( C ) > where, P1 is the first 7 bytes of P, P2 is the second 7 bytes of P, and P3 is the last 2 bytes of P followed by 5 bytes of zeros. Break P3 by solving C' = DES_X( C ) for X given known C and C' by brute force over small number ( 2^16 ) of possibilities for X. This gives the last two bytes of P.
Correct. But since the best attack is against the passwords themselves, the reduction from 16 bytes to 14 bytes of strength from the password hash isn't the primary issue. Don't get me wrong -- I'm not going to claim that the MASCHAPv2 is the best password based challenge/response protocol in the world. Paul
Current thread:
- MS Chap v2 analysis Paul Leach (Jul 07)
- Re: MS Chap v2 analysis David Wagner (Jul 12)
- <Possible follow-ups>
- Re: MS Chap v2 analysis Burton Rosenberg (Jul 07)
- Re: MS Chap v2 analysis Peter J. Holzer (Jul 08)
- Re: MS Chap v2 analysis Paul Leach (Jul 07)
- Re: MS Chap v2 analysis David Wagner (Jul 12)